[resolved] How is the user password encrypted? wp_hash_password (5 posts)

  1. mediabros
    Posted 5 years ago #

    It seems that WordPress encrypts the user's password in a custom MD5 way. As you can see in the code below, I am trying to compare the password from the database with the one the user entered.

    I am encrypting the posted password with md5() and wp_hash_password();
    note that on each refresh or another form post the posted md5 and wp_hash_password() output is random.

    My problem is now that I can't compare the passwords. Anyone got an idea?

    global $userdata;
    global $wpdb;
    // get the posted values
    $posted_username = $_POST['username'];
    $posted_password = $_POST['password'];
    $user_name = htmlspecialchars($posted_username, ENT_QUOTES);
    // hash the posted password two ways: WordPress' wp_hash_password() and plain md5()
    $pass_word = wp_hash_password($posted_password);
    $pass_md5 = md5($posted_password);
    $pass = $pass_word;
    // look up the account by login name
    $userinfo = get_userdatabylogin($user_name);
    // compare the freshly computed hash with the one stored in wp_users.user_pass
    if ($pass == $userinfo->user_pass) {
        echo "yes";
    } else {
        echo "no<br />:";
    }
    // dump the intermediate values for inspection
    echo $pass;
    echo '<br />:';
    echo $userinfo->user_pass;
    echo '<br />:';
    echo $userinfo->ID;
    echo '<br />:';
    echo $userinfo->user_login;
    echo '<br />:';
    echo $pass_md5;
    echo '<br />:';
    echo wp_hash_password('mypassword');

    Returns the following values

    The random values on a refresh/rePOST

  2. Xephan
    Posted 5 years ago #

    WordPress uses the phpass library to do encryption. Although it can use md5 encryption, it's iterated for password stretching and it's stored somewhat differently; that's why you see the $P$ prefix, which is phpass' identifier for the encryption used.

    I'm not quite sure what you are trying to achieve, maybe login integration to WordPress from elsewhere. In which case, you should simply compare the result from wp_hash_password (I haven't tried it and assume this is the correct function in WP) to what is stored in the database.

  3. Try something more like this:

    // load WordPress' bundled phpass implementation (ABSPATH is WordPress' install root)
    include ABSPATH . 'wp-includes/class-phpass.php';
    // $user is the user object of the account being checked, $password the cleartext that was submitted
    $hash = $user->user_pass;
    // 8 = iteration count (log2), TRUE = portable hashes, the same settings WordPress uses
    $wp_hasher = new PasswordHash(8, TRUE);
    $check = $wp_hasher->CheckPassword($password, $hash);

    If $check is true, they match.

    BTW, the reason you can't generate the same hash twice is because of the use of a salt. Salting the password when hashing makes the hash harder to hack using dictionary attacks. This is why generating the hash again and comparing won't work. The hash isn't the same every single time. The check function takes part of the hash (the salt) and the password and recomputes the hash with that salt, thus allowing it to check properly.

  4. Xephan
    Posted 5 years ago #

    I'd recommend that, to be forward compatible, you use the WordPress wrapper functions instead of directly accessing the phpass functions. We never know if the WP devs or the site owner decide to change the hash parameters or add a new hasher option.

  5. True. You can use the wp_check_password() function; it's just a wrapper around this.
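To make the salt argument from post 3 and the wrapper behaviour from post 5 concrete, here is an added Python re-implementation of the portable phpass hash format ($P$ prefix, one cost character, 8-character salt, iterated MD5) that WordPress stores in user_pass. It is example code, not WordPress' or phpass' own; hash_password() and check_password() are hypothetical stand-ins for wp_hash_password() and wp_check_password(), and the test password is constructed.

```python
import hashlib
import hmac
import os
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'  # phpass' own base64 alphabet

def encode64(data: bytes, count: int) -> str:
    """phpass encode64: little-endian 3-byte groups -> 4 chars (not RFC base64)."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)

def crypt_private(password: str, setting: str) -> str:
    """'$P$' + cost char + 8-char salt + 22-char digest. The first 12 chars of
    `setting` are reused, which is how CheckPassword recovers the stored salt."""
    if setting[:3] not in ('$P$', '$H$') or len(setting) < 12:
        return '*0'  # phpass convention: a marker that never equals a real hash
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return '*0'
    pw = password.encode()
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(1 << count_log2):  # stretching: 2**count_log2 extra MD5 rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest, 16)

def hash_password(password: str, count_log2: int = 8) -> str:
    """Like wp_hash_password(): random salt, so each call differs. PHP 5 adds 5 to
    the cost, so PasswordHash(8, TRUE) yields the '$P$B' prefix seen in wp_users."""
    setting = '$P$' + ITOA64[min(count_log2 + 5, 30)] + encode64(os.urandom(6), 6)
    return crypt_private(password, setting)

def check_password(password: str, stored_hash: str) -> bool:
    """Like wp_check_password(): re-derive with the stored salt and compare."""
    return hmac.compare_digest(crypt_private(password, stored_hash), stored_hash)
```

Hashing the same password twice gives two different 34-character strings, exactly what the original poster saw, yet check_password() accepts both because it reads the salt back out of the stored value instead of generating a new one.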

Topic Closed
